Hamaty, Christopher 



From: Patrick Inouye [pjsinouye@earthlink.net] 

Sent: Thursday, April 26, 2001 12:12 PM 

To: Christopher Hamaty 

Subject: New disclosures 



Attachment: Disclosure Memo Apr2001.pdf 

Chris, 



Per my meeting with Victor on 4/3/01, I obtained the following disclosures. 

Best regards, 
Patrick 
MEMORANDUM 

To: Christopher J. Hamaty, Esq. 
    Network Associates, Inc. 

From: Patrick J.S. Inouye 

Date: April 24, 2001 

Re: New Invention Disclosures 

Docket No.: 002.0002.01 



During my meeting at Network Associates' Beaverton, Oregon office on April 3, 2001, I met with 
Victor Kouznetsov and colleagues, and obtained the following invention disclosures: 

1. Secure Remote Configuration Network Appliances Using Web-Based Administration 

Inventors: Victor Kouznetsov, Dan Melchione, Michael Pak, and Nick Hogle 
Conception: May- June 2000 
Disclosure: March 2001 (beta testing) 

Background: Network appliances are gaining increasingly widespread usage. These devices 
include firewall, storage, printer and server-type devices. Each requires configuration and 
administration. 

Solution: The invention is directed to providing a web-based solution to administering and 
configuring network appliances. The following procedure is followed: 

1. Plug network appliance into a network as a customer. 

2. Connect to a Web portal. 

3. Credential the network appliance. 

4. Receive applets into the network appliance. Note: the applets are able to self-configure 
a non-configured network appliance. 

5. Run a browser application in a client on the network. 

Using the browser, a user can "talk" to the network appliance. A sequence of broadcast 
messages is used to configure the network appliance. 

Disclosure Memo Apr 2001 - 1 - 
In the preferred embodiment, the configuration is performed in a secure manner. Once 
configured, the network appliance requests signed packets from the server. 

In a further embodiment, the client browser can be used to configure the network appliance. 
First, a signed applet is broadcast to the network appliance, using a media access controller 
(MAC) address. Alternatively, the network appliance can directly request packets from the 
portal. 

Note that two digital signatures, including date and time stamps, are required to prevent replay 
attacks. 

Prior art: DHCP devices offer a similar form of configuration of network appliances. 
However, DHCP uses push technology and lacks the security provided by digital signatures. 
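The replay protection the disclosure relies on, as an added example (not code from the disclosure or from Network Associates): a stamped configuration packet is accepted only if its signature verifies, its date/time stamp is fresh, and that stamp has not been accepted before. The memo calls for two such signatures; this shows the check for one, and the same check applies to the second. The HMAC key, the freshness window and the configuration values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the signer's key; the memo calls for
# digital signatures, which an HMAC models here only for illustration.
SIGNING_KEY = b"constructed-portal-key"
FRESHNESS_WINDOW = 300  # seconds within which a stamped packet is accepted

def canonical(config: dict, stamp: int) -> bytes:
    """Fixed serialization so signer and verifier hash identical bytes."""
    return json.dumps({"config": config, "stamp": stamp}, sort_keys=True).encode()

def sign_packet(config: dict, stamp: int) -> dict:
    """Portal side: attach the date/time stamp and sign over config + stamp."""
    sig = hmac.new(SIGNING_KEY, canonical(config, stamp), hashlib.sha256).hexdigest()
    return {"config": config, "stamp": stamp, "sig": sig}

class PacketVerifier:
    """Appliance side: a packet is applied only if its signature is valid,
    its stamp is fresh, and that stamp has not been accepted before."""
    def __init__(self):
        self.seen_stamps = set()  # a nonce alongside the stamp avoids collisions

    def verify(self, packet: dict, now: int) -> str:
        expected = hmac.new(SIGNING_KEY, canonical(packet["config"], packet["stamp"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet["sig"]):
            return "rejected: bad signature"
        if abs(now - packet["stamp"]) > FRESHNESS_WINDOW:
            return "rejected: stale stamp"
        if packet["stamp"] in self.seen_stamps:
            return "rejected: replay"
        self.seen_stamps.add(packet["stamp"])
        return "accepted"

def demo() -> list:
    """Constructed packets: a good one, its replay, a tampered copy, a late one."""
    v = PacketVerifier()
    pkt = sign_packet({"admin_port": 8443}, stamp=1_000_000)
    tampered = dict(pkt, config={"admin_port": 23})
    return [v.verify(pkt, now=1_000_010),       # accepted
            v.verify(pkt, now=1_000_020),       # same stamp seen again
            v.verify(tampered, now=1_000_030),  # config changed, signature fails
            v.verify(pkt, now=1_001_000)]       # outside the freshness window
```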



2. Secure Network Appliance Management Framework 

Inventors: Victor Kouznetsov, Michael Pak, Dan Melchione, Ian Shaughnessey 
Conception: August 2000 
Disclosure: August 2000 

Background: The population of components of a network, including network appliances, can 
change over time. Maintaining the configuration and currency of the software and 
configurations is complicated by a dynamically changing environment. 

Solution: A secure beat (SB) is communicated from the network appliances to the 
configuration server. The network appliances and peer network devices must be HTTP or 
HTTPS compliant. A list of components is periodically pulled by each appliance and 
compared. Static components (that is, components shared with other users, such as .dat files) 
and dynamic components (that is, components maintained in the client space) are updated and 
patched as necessary. 

Operationally, each network appliance registers at a server component website. The secure 
beat is periodically sent out to the central server. Missing a "beat" will generate an event at 
the server. Each network appliance will periodically upload and download information as 
needed to maintain the status of virus scanning software, package updates, and configuration 
information. 

Note: the framework does not require a "hole" in the firewall. Remote configurations, 
installations and updates are received in a secure manner and fed back to the central repository 
for reporting purposes. Thus, network appliances are converted into configuration delivery 
platforms, allowing secure provisioning of systems for network appliances. 

Prior art: None. 

3. Dynamic Parsing of Transient Messages 
Inventor: Davide Libenzi 
Conceived: December 2000 
Disclosure: December 2000 

Background: The same electronic mail messages are often circulated among many different 
users within a single enterprise computing environment. Ideally, each user will have anti-virus 
protection measures in force. However, a high degree of duplication occurs due to 
redundant scanning by each of the users of the same identical electronic mail messages. 

Solution: A virus screening system is introduced at the network application gateway. The 
virus screen provides SMTP-compliant content filtering. A decision on whether to accept or 
reject an e-mail message is made as the e-mail is transmitted. For instance, the subject line is 
typically received before the body of the message. Virus screening rules can be applied as the 
message is received, thereby dramatically reducing the number of messages received in toto. 

Network appliances can also provide virus screening. An incoming message stream can be 
prefiltered and anti-virus rules applied in a like manner. 

Prior art: None. 

4. Efficient Virus Scanning of Transient Messages Using Dynamically Cacheable Digests 
Inventors: Dan Melchione and Davide Libenzi 

Conceived: April 3, 2001 
Disclosure: None 

Background: This invention builds on the previous invention by further streamlining the virus 
screening process. 

Solution: An index table of scanned e-mail is created. As new messages are received, the 
location of the message is stored and a cryptohash of the information, or a subset, such as the 
header, is pulled as a digest. Consequently, virus screening of subsequent messages uses the 
cryptohash digest in lieu of the message, thereby enabling rapid detection of duplicate 
messages. 

Prior art: None. 
5. Selectively Applying Message Digests of Infectible Message Parts for Efficiently and 
Dynamically Performing Virus Scanning 

Inventor: Dan Melchione 

Conceived: April 3, 2001 

Disclosure: None 

Background: See #4 above. 

Solution: The system maintains a parse tree of infectable parts of e-mail messages. The parse 
tree contains headers, bodies, and attachments as necessary, preferably using MIME encoding. 
The parse tree is cached, thereby saving time and avoiding duplicative work to scan messages 
over. 

The system performs a selective comparison of messages and only compares those parts 
which are infectable. This approach saves time with forwarded messages, where an 
attachment need not be rescanned. 

Prior art: None. 
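Disclosures #4 and #5 together, as an added example (not code from the disclosures or from Network Associates): each infectable MIME part (text bodies and attachments, never the container parts) is digested separately, and a part whose digest was already scanned reuses the stored verdict, so a forwarded attachment is not rescanned. The sample messages, the marker string and the stand-in scanner are constructed for the example.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

def build_message(body: str, attachment: bytes) -> bytes:
    """Constructed sample mail with one attachment (not real traffic)."""
    msg = EmailMessage()
    msg["Subject"] = "quarterly report"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="report.exe")
    return msg.as_bytes()

def infectable_parts(raw: bytes):
    """Yield (label, payload) for the parts worth scanning: text bodies and
    attachments. multipart/* containers carry no content of their own and
    are skipped; headers are not part of what gets digested."""
    msg = message_from_bytes(raw, policy=default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        label = part.get_filename() or part.get_content_type()
        yield label, part.get_payload(decode=True)

def scan_with_digest_cache(raw: bytes, cache: dict, scanner) -> list:
    """Scan each infectable part once: a part whose digest is already in
    the cache reuses the stored verdict instead of being rescanned."""
    results = []
    for label, payload in infectable_parts(raw):
        digest = hashlib.sha256(payload).hexdigest()
        if digest in cache:
            results.append((label, cache[digest], "cached"))
        else:
            verdict = scanner(payload)
            cache[digest] = verdict
            results.append((label, verdict, "scanned"))
    return results

def toy_scanner(payload: bytes) -> str:
    """Stand-in for a real engine: flags a constructed marker string."""
    return "infected" if b"EICAR-LIKE-MARKER" in payload else "clean"

def demo() -> tuple:
    """Original message, then a forward carrying the same attachment."""
    cache = {}
    attachment = b"constructed binary EICAR-LIKE-MARKER payload"
    first = scan_with_digest_cache(build_message("see attached", attachment), cache, toy_scanner)
    forward = scan_with_digest_cache(build_message("FYI, forwarding", attachment), cache, toy_scanner)
    return first, forward
```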

6. File-Based Mail Store Indexed Using Hashed Filenames 
Inventor: Davide Libenzi 

Conceived: October 2000 
Disclosure: December 2000 

Background: The storage of electronic mail messages is generally based on the file system 
upon which the mail service operates. Certain file systems, such as the EXT-2 file system 
under the Linux operating system, are inefficient when handling large directories. Moreover, 
large directories and deep subdirectory trees are often non-portable and cannot be used by 
gateway systems. 

Solution: The performance of mail service can be optimized by creating a hash table of 
messages. Preferably, the hash table uses a double-prime +2 methodology, whereby a 
message filename is hashed to determine a subdirectory in which to store the message. This 
approach creates a portable solution and allows messages to be recovered in an expedient 
manner. 

Prior art: None. 
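The hashed-filename store of disclosure #6, as an added example (not code from the disclosure or from Network Associates). The memo does not spell out its "double-prime" scheme, so this fans messages out over two prime-sized directory levels; the primes, the hash function and the filename check are assumptions of the example.

```python
import hashlib
import os
import tempfile

# Assumption: the memo does not define its "double-prime" scheme, so this
# example uses two prime moduli of its own; both values are illustrative.
LEVEL1_PRIME = 251
LEVEL2_PRIME = 257

def bucket_dirs(filename: str) -> tuple:
    """Derive the two subdirectory names from the filename alone, so a
    message can be located again without any index lookup."""
    h = int.from_bytes(hashlib.sha256(filename.encode()).digest()[:8], "big")
    return str(h % LEVEL1_PRIME), str(h % LEVEL2_PRIME)

def message_path(root: str, filename: str) -> str:
    """Accept only a bare filename so a crafted name (e.g. one containing
    '..' or a separator) cannot place a file outside the store."""
    if not filename or filename in (".", "..") or "/" in filename or os.sep in filename:
        raise ValueError("message filename must be a bare name")
    return os.path.join(root, *bucket_dirs(filename), filename)

def store_message(root: str, filename: str, data: bytes) -> str:
    path = message_path(root, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def load_message(root: str, filename: str) -> bytes:
    with open(message_path(root, filename), "rb") as fh:
        return fh.read()

def roundtrip_demo() -> tuple:
    """Store constructed messages and read one back; returns the recovered
    bytes and the number of distinct bucket directories used."""
    with tempfile.TemporaryDirectory() as root:
        names = [f"msg-{i}.eml" for i in range(20)]
        for name in names:
            store_message(root, name, b"constructed body of " + name.encode())
        back = load_message(root, "msg-7.eml")
        dirs = {bucket_dirs(n) for n in names}
    return back, len(dirs)
```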
7. Application Service Delivery Architecture 

Inventors: Victor Kouznetsov, Michael Pak, and Dan Melchione 

Conception: May 2000 

Disclosure: March 2001 (beta testing) 

Background: As network appliances become increasingly ubiquitous, these devices offer an 
opportunity to deliver services directly to end-users. 

Solution: Network appliances can be augmented to deliver functionality and ongoing services 
to end-users. This approach represents the automation of the virtual personal network concept, 
in which end appliances provide subscription, monitoring, update and configuration services in a 
closed-loop format. The paradigm is to use web services to deliver provisioning, web browsers 
to deliver ubiquitous information access, and network appliances to deliver applications. 

Prior art: None. 